integration: gencerts.sh cleanup and supports no-CN certs

integration/fixtures/gencerts.sh: - refactored common logic to a helper function - added definition for client-nocn certificate (used for grpc-proxy -> etcd-server) communication.
2020-09-07 11:47:24 +02:00 · 2020-09-07 11:47:24 +02:00 · 966e8cecf0
parent c20cc05fc5
commit 966e8cecf0
2 changed files with 47 additions and 52 deletions
--- a/integration/fixtures/client-ca-csr-nocn.json
+++ b/integration/fixtures/client-ca-csr-nocn.json
@ -0,0 +1,20 @@
+{
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "etcd",
+      "OU": "etcd Security",
+      "L": "San Francisco",
+      "ST": "California",
+      "C": "USA"
+    }
+  ],
+  "CN": "",
+  "hosts": [
+    "127.0.0.1",
+    "localhost"
+  ]
+}
--- a/integration/fixtures/gencerts.sh
+++ b/integration/fixtures/gencerts.sh
@ -1,5 +1,7 @@
 #!/bin/bash

+set -e
+
 if ! [[ "$0" =~ "./gencerts.sh" ]]; then
  echo "must be run from 'fixtures'"
  exit 255
@ -7,68 +9,51 @@ fi

 if ! which cfssl; then
  echo "cfssl is not installed"
+  echo "use: go install -mod mod github.com/cloudflare/cfssl/cmd/cfssl github.com/cloudflare/cfssl/cmd/cfssljson"
  exit 255
 fi

 cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
 mv ca.pem ca.crt
+
 if which openssl >/dev/null; then
  openssl x509 -in ca.crt -noout -text
 fi

+# gencert [config_file.json] [cert-name]
+function gencert {
+  cfssl gencert \
+    --ca ./ca.crt \
+    --ca-key ./ca-key.pem \
+    --config ./gencert.json \
+    $1 | cfssljson --bare ./$2
+  mv $2.pem $2.crt
+  mv $2-key.pem $2.key.insecure
+}
+
 # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates
-cfssl gencert \
-  --ca ./ca.crt \
-  --ca-key ./ca-key.pem \
-  --config ./gencert.json \
-  ./server-ca-csr.json | cfssljson --bare ./server
-mv server.pem server.crt
-mv server-key.pem server.key.insecure
+gencert ./server-ca-csr.json server
+
+#generates certificate that does not contain CN, to be used for proxy -> server connections.
+gencert ./client-ca-csr-nocn.json client-nocn

 # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates (ECDSA)
-cfssl gencert \
-  --ca ./ca.crt \
-  --ca-key ./ca-key.pem \
-  --config ./gencert.json \
-  ./server-ca-csr-ecdsa.json | cfssljson --bare ./server-ecdsa
-mv server-ecdsa.pem server-ecdsa.crt
-mv server-ecdsa-key.pem server-ecdsa.key.insecure
+gencert ./server-ca-csr-ecdsa.json server-ecdsa

 # generate IP: 127.0.0.1, CN: example.com certificates
-cfssl gencert \
-  --ca ./ca.crt \
-  --ca-key ./ca-key.pem \
-  --config ./gencert.json \
-  ./server-ca-csr-ip.json | cfssljson --bare ./server-ip
-mv server-ip.pem server-ip.crt
-mv server-ip-key.pem server-ip.key.insecure
+gencert ./server-ca-csr-ip.json server-ip

 # generate IPv6: [::1], CN: example.com certificates
-cfssl gencert \
-  --ca ./ca.crt \
-  --ca-key ./ca-key.pem \
-  --config ./gencert.json \
-  ./server-ca-csr-ipv6.json | cfssljson --bare ./server-ip
-mv server-ip.pem server-ipv6.crt
-mv server-ip-key.pem server-ipv6.key.insecure
+gencert ./server-ca-csr-ipv6.json server-ipv6

 # generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates
-cfssl gencert \
-  --ca ./ca.crt \
-  --ca-key ./ca-key.pem \
-  --config ./gencert.json \
-  ./server-ca-csr2.json | cfssljson --bare ./server2
-mv server2.pem server2.crt
-mv server2-key.pem server2.key.insecure
+gencert ./server-ca-csr2.json server2

 # generate DNS: localhost, IP: 127.0.0.1, CN: "" certificates
-cfssl gencert \
-  --ca ./ca.crt \
-  --ca-key ./ca-key.pem \
-  --config ./gencert.json \
-  ./server-ca-csr3.json | cfssljson --bare ./server3
-mv server3.pem server3.crt
-mv server3-key.pem server3.key.insecure
+gencert ./server-ca-csr3.json server3
+
+# generate wildcard certificates DNS: *.etcd.local
+gencert ./server-ca-csr-wildcard.json server-wildcard

 # generate revoked certificates and crl
 cfssl gencert --ca ./ca.crt \
@ -80,14 +65,4 @@ mv server-revoked-key.pem server-revoked.key.insecure
 grep serial revoked.stderr | awk ' { print $9 } ' >revoke.txt
 cfssl gencrl revoke.txt ca.crt ca-key.pem | base64 --decode >revoke.crl

-# generate wildcard certificates DNS: *.etcd.local
-cfssl gencert \
-  --ca ./ca.crt \
-  --ca-key ./ca-key.pem \
-  --config ./gencert.json \
-  ./server-ca-csr-wildcard.json | cfssljson --bare ./server-wildcard
-mv server-wildcard.pem server-wildcard.crt
-mv server-wildcard-key.pem server-wildcard.key.insecure
-
-
 rm -f *.csr *.pem *.stderr *.txt